Challenges to effective business continuity planning
Year after year, the likelihood of a business-destroying critical event only seems to increase. Yet somehow, business continuity planning – the collection of resources, actions, procedures, and information designed to prepare organizations to maintain essential functions in the event of a disaster or other major disruption – hasn’t made it to the top rung of C-suite priorities.
The proof: IBM research found that fewer than 20 percent of business continuity management (BCM) and IT security specialists (a paltry 17 percent in actuality) say that their organizations have a formal business continuity plan (BCP). That’s over 80 percent of businesses risking extraordinary financial loss and (even) closure in the event of a critical event. What’s going on here?
The short answer is it’s complicated – frustrating, I know. Indeed, business continuity planning helps ensure the continuous delivery of critical services and products to customers and minimize impacts to the business. But the challenges to developing an effective business continuity plan can be legion. They even start with basic definitions and terminology. For instance, it’s not uncommon for organizations to misunderstand the actual scope of business continuity planning, when, in fact, the end BCP stands distinct from all other forms of all-hazards planning.
From whence comes the confusion? Well, the field of business continuity management did first emerge as an offshoot of another all-hazards discipline, crisis management. Of course, BCM today is its own holistic management practice, prescribing a distinct process for identifying potential threats to an organization and the operational impacts those threats pose. In turn, the primary task of business continuity professionals has also shifted to building durable frameworks for organizational resilience, in compliance with regulations and prevailing business standards. And it’s in the execution of this core responsibility that business continuity professionals come into close contact with other all-hazards practitioners.
Yet somewhere on the way to the C-suite, BCM priorities get bungled. Specifically, we often hear from practitioners decrying a lack of commitment and involvement from their senior managers, the crucial gateway to getting any major, cross-functional project off the ground. Even when that C-level sponsorship is secured, it’s not always a given that senior leadership is fully invested in business continuity planning for the right reasons. Executives aren’t above “going through the motions,” trying to feign compliance with important standards to regulators and customers.
As an aside: standards and regulations themselves change quickly. Remember, jurisdictions have moved in aggressively to mandate baseline BCM practices for organizations, especially in the critical infrastructure space. The international BCM standard, ISO 22301, for one, is a means of signaling to legislators and regulators that the compliant organization is indeed adhering to best practices in the field.
Mind you, the best-intentioned organizations can get business continuity planning wrong, too. The sheer number of variables that go into building an effective BCP, properly tailored to your specific challenges, is positively mind-boggling. It’s just too easy to make any number of routine mistakes along the way. For one, without access to the right data, analysts can misjudge an organization’s data recovery requirements. Business continuity planning involves documenting procedures to guide how organizations will respond to and recover from a disruption, and that’s why putting together the actual plan usually falls to a governance committee. Mistakes are also made at the risk assessment stage and spiral from there, as successive interlocutors fail to question assumptions and consider limiting factors.
How then to make business continuity planning work at your organization? Sure, it’s not simple, but with the right guardrails in place, you can build a BCP that covers the resources, services, and activities required to ensure the continuity of critical business functions.